Yeah there are questions about their response time to notify the public, as well as the reportedly piss-poor encryption in the first place.... I think that's what irks me the most.... That the info wasn't even halfway well protected.

Right you've hit on the two most compelling issues in my mind...the failure to notify and failure to encrypt (if true). That they were negligent in the manner of their security is something that's going to be harder to prove since it's a reasonable standard test (this refers to the prevention of hacking in the first instance).